Published Date: April 12 2025
Updated Date: April 21 2025

Security Bulletin S25-01

Description

Certain vulnerabilities were identified in the End of Life (EOL) OVA-based Connect component, which is deployed in the customer's internal network for installation purposes. This EOL component was deprecated in September 2023, with end of support extended until January 2024.

Note: These vulnerabilities are present only in the EOL OVA-based Connect deployment.

The following CVEs have been published for the identified OVA-related vulnerabilities.

Also, in both the EOL OVA and the binary installation of the SC2.0 client, the following misconfigurations were identified; they could introduce additional risk to the system that hosts the SC2.0 client.

  1. During installation of the SC2.0 client, SELinux was configured to run in the disabled state.
  2. A few binary files belonging to the SC2.0 client were given excessively permissive read and write permissions.
  3. The secondary TLS authentication control in the SC2.0 handshake process had a weakness in its encryption mechanism because a common (shared) key was used.

Note: The above configurations are already called out in the documentation portal, but we mention them explicitly in this bulletin because they carry security risks in the EOL OVA-based Connect component.
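As an added example (not part of this bulletin, and not Saviynt's own tooling), the following POSIX shell script shows how an administrator can audit a host for the first two misconfigurations listed above: SELinux not in enforcing mode, and client binaries that are group- or world-writable. The third item (the shared key in the secondary TLS authentication) has no local file check and is addressed by the vendor hardening steps referenced in this bulletin. The install directory is an assumption; the bulletin does not give the real SC2.0 client path. The script builds its own constructed fixture so it can be run offline.

```shell
#!/bin/sh
# Added audit script (not from the Saviynt bulletin or product): checks a host
# for two of the misconfigurations listed in the bulletin, SELinux not
# enforcing and client binaries that are group- or world-writable.
# The install path used in the demonstration is an assumption.

# Returns 0 when the supplied SELinux mode string is "Enforcing", 1 otherwise.
# The mode is passed in rather than read here so the check can run offline;
# on a live host call it as: selinux_enforcing "$(getenforce 2>/dev/null)".
selinux_enforcing() {
  [ "$1" = "Enforcing" ]
}

# Prints, one per line, regular files under $1 whose mode has the group-write
# (020) or other-write (002) bit set. The octal -perm forms are POSIX find(1).
find_writable() {
  find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Number of such files as a bare integer (wc pads with spaces on some systems).
count_writable() {
  find_writable "$1" | wc -l | tr -d ' '
}

# Builds a constructed fixture directory so the checks can be demonstrated
# without touching a real installation: one correctly protected binary (755)
# and one with the excessive permissions described in the bulletin (666).
make_fixture() {
  d=$(mktemp -d)
  printf '#!/bin/sh\n' > "$d/connect-agent"
  printf '#!/bin/sh\n' > "$d/connect-helper"
  chmod 755 "$d/connect-agent"
  chmod 666 "$d/connect-helper"
  printf '%s\n' "$d"
}

# Full audit: returns 0 when both checks pass, 1 when either finds a problem.
# $1 is the SELinux mode string, $2 the directory holding the client binaries.
audit_host() {
  mode=$1
  dir=$2
  rc=0
  if selinux_enforcing "$mode"; then
    echo "OK   SELinux is enforcing"
  else
    echo "FAIL SELinux mode is '${mode:-unknown}', expected Enforcing"
    rc=1
  fi
  n=$(count_writable "$dir")
  if [ "$n" -eq 0 ]; then
    echo "OK   no group/world-writable files under $dir"
  else
    echo "FAIL $n group/world-writable file(s) under $dir:"
    find_writable "$dir" | sed 's/^/       /'
    rc=1
  fi
  return $rc
}

# Demonstration on the constructed fixture. On a real host replace the two
# arguments with "$(getenforce)" and the actual client install directory
# (placeholder: /opt/saviynt-connect, an assumption, not from the bulletin).
FIXTURE=$(make_fixture)
audit_host "Disabled" "$FIXTURE" || echo "audit reported findings (expected for the fixture)"
rm -rf "$FIXTURE"
```

The checks are split into small functions so each can be reused from configuration-management tooling; a non-zero exit from `audit_host` is a convenient signal for a compliance job, and the per-file listing tells the operator exactly which binaries need their mode restored.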

Action Required

  • Customers are advised to review the mitigation steps in the documentation linked below and follow them to mitigate these vulnerabilities and misconfigurations.
  • For Saviynt Connect 2.0 binary installations, refer to the hardening section of the documentation at the link below.

https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm#Enforce

Credits

Achmea Security Assessment Team (SAT)

Contact Information

Any questions may be directed to security@saviynt.com
